
Working with rules

Modified: 19 Mar 2019 17:53 UTC

Rules are written in the Aperture policy language, which allows you to write rules in a human-readable form. The access control system of the Triton Compute Service uses a subset of the Aperture policy language, and that's what we describe here.

The general form of a rule is:

CAN <actions> [IF | WHEN | WHERE] <conditions>

You can use any of IF, WHEN, or WHERE to make the condition easier to read.

The default permission for all resources is to deny access. The rules of a policy enable access.

This is what rules look like:

CAN getobject and getdirectory IF sourceip = 1.2.3.0/24 OR sourceip = 3.2.1.0/24
CAN putobject IF overwrite = false
CAN getobject IF fromjob = true
CAN putobject IF day IN (Monday, Tuesday, Wednesday, Thursday, Friday)
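
To see how default deny interacts with the sample rules above, the following added example (not part of the original page and not the Aperture parser) evaluates requests against them. The function names, the request context object, and the reading of "=" against an address/prefix value as subnet membership are assumptions made for illustration; only the rule shapes shown on this page are handled.

```javascript
// Added illustration: a minimal evaluator for the rule shapes shown on this page.
// Not the Aperture parser; it handles only "=", "IN (...)" and OR-joined conditions.
const RULES = [
  'CAN getobject and getdirectory IF sourceip = 1.2.3.0/24 OR sourceip = 3.2.1.0/24',
  'CAN putobject IF overwrite = false',
  'CAN getobject IF fromjob = true',
  'CAN putobject IF day IN (Monday, Tuesday, Wednesday, Thursday, Friday)',
];

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
const ipToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

// Assumption: "=" against a value containing "/" means membership in that subnet.
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(base) / size);
}

// Split "CAN <actions> [IF | WHEN | WHERE] <conditions>" into its parts.
function parseRule(text) {
  const m = /^CAN\s+(.+?)(?:\s+(?:IF|WHEN|WHERE)\s+(.+))?$/i.exec(text.trim());
  if (!m) throw new Error('not a rule: ' + text);
  const actions = m[1].split(/\s+and\s+/i).map((a) => a.toLowerCase());
  const conditions = (m[2] || '').split(/\s+OR\s+/i).filter(Boolean).map((c) => {
    const p = /^(\w+)\s*(=|IN)\s*(.+)$/i.exec(c.trim());
    if (!p) throw new Error('unsupported condition: ' + c);
    const values = p[3].replace(/^\(|\)$/g, '').split(',').map((v) => v.trim());
    return { name: p[1], values };
  });
  return { actions, conditions };
}

function testCondition(cond, ctx) {
  if (!(cond.name in ctx)) return false; // an absent attribute never matches
  const actual = String(ctx[cond.name]);
  return cond.values.some((v) => (v.includes('/') ? inCidr(actual, v) : v === actual));
}

// Default deny: access is granted only if some rule names the action and matches.
function isAllowed(rules, action, ctx) {
  return rules.map(parseRule).some((r) =>
    r.actions.includes(action) &&
    (r.conditions.length === 0 || r.conditions.some((c) => testCondition(c, ctx))));
}
```

For instance, `isAllowed(RULES, 'putobject', { overwrite: true, day: 'Sunday' })` is denied because neither putobject rule matches, while any action that no rule names is denied regardless of context.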